OilRig APT Group
OilRig APT Group (also known as APT34 or Helix Kitten) is a threat group linked to the Iranian government. It is known for PowerShell-based backdoors and for targeting government agencies and companies in the Middle East.

Information

The group has targeted the following government agencies and companies:
*Dubai Media Inc
*Etihad Airways
*Abu Dhabi Airports
*Emirates National Oil
*Lamprell Energy Ltd.
*Amiri Diwan of Kuwait
*Oman Administrative Court
*Emirates Prime Minister Office
*National Security Agency of Bahrain

Types

Tools and trojans attributed to the group:
*TwoFace
*Poison Frog
*ISMDoor
*ISMAgent
*Agent Injector
*HyperShell
*HighShell
*Fox Panel
*Webmask
*Jason

The Leak

In mid-March 2019, an unknown entity appeared on several hacking forums and on Twitter under the handle @Mr_L4nnist3r, claiming to have data dumps of internal tools and data used by the OilRig group. The initial claim included several screenshots of systems potentially used by OilRig operators for attacks, a script that appeared to perform DNS hijacking, and a password-protected archive named Glimpse.rar purporting to contain the command and control (C2) server panel for an OilRig backdoor. Soon after, a Twitter account with the handle @dookhtegan appeared, also claiming access to data dumps of OilRig internal tools and data, as seen in Figure 1. This account used a 2004 image of Mehdy Kavousi, a high-profile Iranian asylum seeker who famously sewed his eyes and mouth shut to signify that rejecting his asylum claim and sending him back to Iran would be akin to putting him to death. The account went on to post a series of tweets protesting the OilRig group and attributing its operations to a specific nation state and organization.
Unit 42 was unable to validate this level of attribution, but a 2018 report from the United States National Counterintelligence and Security Center stated that the OilRig group originates from an Iranian nexus. The account continued to post tweets with direct links to operational data dumps hosted on an anonymous file sharing service. The files included the previously password-protected Glimpse.rar archive, as well as new archives containing hundreds of credentials harvested from compromised organizations along with details of exposed login prompts. There were also links to webshells previously (and possibly still) deployed, the webshell source code, and another backdoor together with its server component. This account was suspended in short order, but immediately afterwards an alternate account, @dookhtegan1, appeared with the same stylized profile image and remained active at the time of writing. It mirrors the earlier messages exposing the OilRig group but no longer links to data dumps, instead directing anyone interested in the data to a private Telegram channel. Figure 2 shows this second Twitter account advertising the Telegram channel used to leak the data.

Data Dump Contents

The data dump contains several kinds of datasets that appear to be the results of reconnaissance, initial compromises, and the tools OilRig operators use against target organizations. The affected organizations span industry verticals including government, media, energy, transportation and logistics, and technology service providers.
The datasets included:
*Stolen credentials
*Potential systems to log in to using the stolen credentials
*Deployed webshell URLs
*Backdoor tools
*Command and control server components of the backdoor tools
*A script to perform DNS hijacking
*Documents identifying specific individual operators
*Screenshots of OilRig operational systems

Malware information

Glimpse

Glimpse is a PowerShell script that contains the comment "version 2.2", which suggests the OilRig group considers this a specific version of the tool and that prior versions likely exist. The Glimpse panel, versioned "v1.0.5", is the tool the actor uses to organize the agents installed on compromised systems. The panel allows the actor to issue commands and to upload files to and download files from compromised endpoints. According to its compilation timestamp, the developer created the Glimpse panel on September 1, 2018 (PE compilation timestamps are trivially editable, so this date is indicative rather than proven). Figure 3 shows the main Glimpse panel with three agents listed in a test environment. To interact with a specific agent, the actor selects its entry to open the agent control panel, which has three tabs for issuing commands and for uploading and downloading files to and from the agent. The actor clicks a command to view its results in a popup window named "Result Viewer". The server portion of Glimpse works in unison with the panel and acts as a DNS server; it is written in JavaScript and runs in the Node.js runtime. The server file is named srvr.js and, according to the accompanying Read me.txt, is meant to be started with forever start srvr.js (forever being a process manager for Node.js). Figure 6 shows the Glimpse server responding to an inbound beacon from a Glimpse agent and sending it the command whoami.

Poison Frog

Like the Glimpse C2 server, the Poison Frog server is written in JavaScript and runs in Node.js.
The Poison Frog server handles both the HTTP and DNS tunneling channels used by the hUpdater.ps1 and dUpdater.ps1 scripts. According to the server's code, the default command issued to newly infected systems was a batch script contained in a file named 0000000000.bat. The data dump included this file, which when executed on an infected system runs the following commands to gather information for the C2 server:
*whoami
*hostname
*ipconfig /all
*net user /domain
*net group /domain
*net group "domain admins" /domain
*net group "Exchange Trusted Subsystem" /domain
*net accounts /domain
*net user
*net localgroup administrators
*netstat -an
*tasklist
*systeminfo
*reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
*schtasks /query /FO List /TN "GoogleUpdatesTaskMachineUI" /V | findstr /b /n /c:"Repeat: Every:"
*WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
The script uses echo commands to insert a header before each command's output.

Webshells

The data dump included several webshells apparently used by OilRig to interact with compromised servers. The three webshells in the dump are named HyperShell, HighShell, and Minion, although Minion appears to be a variant of HighShell based on overlaps in code, filenames, and functionality. HyperShell and HighShell are variants of what Unit 42 tracks as TwoFace, with HyperShell related to the TwoFace loader and HighShell related to the TwoFace payload.

HyperShell

HyperShell, also called TwoFace++, encrypts its embedded payload webshell with the 3DES cipher, using a key derived from the SHA256 hash of an actor-provided string. Like many early TwoFace loader samples, the HyperShell sample includes a string within HTML pre tags that is displayed in the browser if no password is supplied or if the loader is unable to extract the embedded payload webshell.
The pre tags within the HyperShell sample contain: <%= Server.HtmlEncode("NxKK7a") %>

The string in the pre tags is the actor-provided password, which the webshell uses as a key to decrypt the embedded payload. The HyperShell loader uses the password to authenticate the request and decrypt the embedded webshell as follows:
*Append a hardcoded salt string to the password
*Compute the SHA1 hash of the resulting password-plus-salt string
*Base64 encode the SHA1 hash
*Compare the encoded hash with a hardcoded base64 string
*If the encoded hash matches the hardcoded string, the inbound request is authenticated
*Compute the SHA256 hash of the password string alone
*Base64 encode the SHA256 hash and take the first 24 characters as the key
*Decrypt the embedded webshell with 3DES using that 24-character key

The actor-provided password NxKK7a has the hardcoded salt aqB2nU65TgFoEfdVqiAddBQLInc9 appended to it. The resulting string NxKK7aaqB2nU65TgFoEfdVqiAddBQLInc9 has a SHA1 hash of 9d3ff106fbc3508b8453c7d6f285543d0b9c2721, which base64 encodes to nT/xBvvDUIuEU8fW8oVUPQucJyE=. The hardcoded base64 string within the sample is nT/xBvvDUIuEU8fW8oVUPQucJyE=, confirming that the string in the pre tags is the password. Once authenticated, the TwoFace++ loader uses the password to decrypt the embedded webshell. To derive the 3DES key, TwoFace++ computes the SHA256 hash of NxKK7a, which is 11f66b55f3d24303621e5ef9565b02a576cc58bc5f8789cae96c3d400064b90e. Base64 encoding that hash yields EfZrVfPSQwNiHl75VlsCpXbMWLxfh4nK6Ww9QABkuQ4=, of which the first 24 characters (EfZrVfPSQwNiHl75VlsCpXbM) are used as the 3DES key. Because both the password and the hardcoded comparison hash are present in the loader, this check can be reproduced offline against any recovered HyperShell sample.

HighShell

HighShell is a webshell with multiple versions.
The HighShell v7.1 variant from the data dump offers similar functionality to its predecessors and continues the tabular layout, but splits the main functionality across more tabs, specifically "Command", "Explorer", "Upload", "Download", "Sql Server" and "Change Time". The data dump also included an archive named ShellLocal-v8.8.5.rar containing another HighShell variant. The archive name suggests version 8.8.5, but the user interface reports version 8.6.2, as seen in Figure 15. This variant shares code with its predecessors, but OilRig appears to have re-architected it so that a front end user interface interacts with a back end script via AJAX web requests. Along with the change in architecture, this version has an enhanced interface. HighShell 8.6.2 shares significant functionality with its predecessors but also adds several notable features: bundled executable modules, a Network Downloader, and a Spy Check.

The modules are PE executables prepackaged with the webshell that extend its capabilities. The webshell uses the 7za module to archive files from the Explorer tab, while the nbtscan module scans the network for systems to build a list of IP addresses the webshell can interact with.

The Spy Check appears in the top right corner of the webshell as a box with a countdown timer. The timer starts at 300 and decrements every second, so the webshell runs the Spy Check every five minutes. Its exact purpose is unclear beyond displaying either a red box with a spy icon or a green box with a heart icon.
It is believed that this functionality was meant to warn the actor if they were using an altered HighShell front end, possibly so they could stop using a webshell that a third party had detected and modified. The Spy Check begins by reading the .aspx file of the HighShell front end (HighShellLocal.aspx in this case). It then computes the SHA256 hash of that file and compares it with a hardcoded SHA256 of f35e566e28be5b3257670be6e125eb90814b9cb27df997090cea0b7a22fbd75c to determine whether the webshell has been modified. If the hashes do not match, the webshell displays the red box with the spy icon. All known samples display the red box, suggesting either that the developer did not update the hardcoded hash during development or that the samples have been modified in some way.

The Network Downloader allows the actor to quickly collect user files from remote systems in the victim network. To use it, the actor must fill in the "Target Computer" section of the webshell with a network administrator username and password, and add a list of IP addresses of remote systems in the "Select Computer" drop down. Before performing the network download, the webshell checks the storage volume of the server it is running on for more than 30 GB of free space. If less than 30 GB is free, the webshell will not perform the activity, which indicates that the developer expects to pull a high volume of data from the victim network.
The webshell iterates through the IP list and runs a series of commands for each address, starting by connecting to the remote system with:
net use \\<address> /user:<admin username> <admin password> 2>&1
After connecting with net use, the webshell obtains the list of user profile folders with:
dir /b \\<address>\c$\Users 2>&1
It then iterates through the users and enumerates all files in the following folders:
*\\<address>\c$\Users\<username>\Desktop
*\\<address>\c$\Users\<username>\Documents
*\\<address>\c$\Users\<username>\Downloads
The Network Downloader gathers all the files in these folders and uses 7-Zip to compress them into an archive. The archives are saved locally on the server in the C:\Users\Public\Libraries\Recorded\Files folder, each with a filename of the form:
<address>_c$_Users_<username>__Desktop-Documents-Downloads_<year>-<month>-<day>-<hours>-<minutes>-<seconds>.7z
The threat actors likely use this functionality to rapidly check for new files created by users on the network.

Minion

Minion appears to be another webshell related to HighShell, with similar functionality and significant code overlap. Based on Minion's login functionality, it is believed that the same developers were involved in both Minion and HyperShell. To use Minion, the actor must supply the username admin and a password before using the webshell. To authenticate, the password has the string O%tG7Hz57kvWk35$D*)s$1l$pUpLnBw)apHR!xYZWZu7X#^w7$mCArmQMAa&sRBG appended to it as a salt. The webshell computes the SHA256 hash of the resulting string and base64 encodes it for comparison with the hardcoded string m6m8CCWa/u820mie8bX3HKIx1+WQkB+lbmniyXWKB+8=.
Authentication succeeds only when the password and salt produce a SHA256 hash of 9ba9bc08259afeef36d2689ef1b5f71ca231d7e590901fa56e69e2c9758a07ef. This is the same salt-hash-base64-compare scheme HyperShell uses to authenticate, with SHA256 in place of SHA1. Much like HighShell 8.6.2, Minion includes modules to extend the webshell's functionality.

Attack Campaigns

DNS Hijacking Script

In November 2018, Cisco Talos published research on an attack campaign it named DNSpionage. The campaign involved malware used to compromise individual endpoints, but most notably described an effort to hijack the DNS entries of government organizations and redirect visitors to adversary-operated, likely malicious systems. FireEye and CrowdStrike followed up with their own assessments of the DNS hijacking efforts and described operations extending back to January 2017. No attribution to a known adversary group was offered, other than that the targets were primarily in the Middle East and the adversary was likely operating out of that region as well. The data dump includes a tool called webmask, which appears to be a set of scripts built specifically for DNS hijacking. Based on the instructional guide and the provided tools, the package is consistent with the methodology FireEye outlined for how these attacks were executed, including specific details such as ICAP via a proxy passthrough (in this case squid) and the use of certbot to obtain a Let's Encrypt TLS certificate. One part of guide.txt appears to give an example target, with a corresponding adversary IP (185.162.235.106) to which the legitimate domain would be redirected. Analysis of this IP provides several interesting data points, including possible relationships to previously observed OilRig infrastructure. The hosting provider shows that the IP is associated with an Iranian hosting provider called NovinVPS.
The autonomous system for the IP shows that the allocation is controlled by Serverius Holding B.V., an autonomous system previously seen associated with the OilRig group. In fact, the /24 block 185.162.235.0/24 contains at least two other IPs previously identified as OilRig C2 servers, 185.162.235.29 and 185.162.235.121, with the associated domains office365-management.com and msoffice-cdn.com respectively. office365-management.com was first identified in October 2017 as a C2 server for OilRig operations delivering the ISMInjector backdoor.

Category:Group